Cooking with Apache, Part 2

Editor's note: Last month, we published our first batch of recipes from the recently released Apache Cookbook. This week, we've excerpted three more samples. Find out how to make part of your web site available via SSL, how to place a CGI program in a directory that contains non-CGI documents, and how to redirect a 404 ("not found") page to another page (such as the front page of the site) in these latest samplings.

Recipe 7.4: Serving a Portion of Your Site via SSL

Problem

You want to have a certain portion of your site available via SSL exclusively.

Discussion

It is perhaps best to think of your site's normal pages and its SSL-protected
pages as being handled by two separate servers, rather than one. While they may
point to the same content, they run on different ports, are configured
differently, and, most importantly, the browser considers them to be completely
separate servers. So you should too.

Don't think of enabling SSL for a particular directory; rather, you should
think of it as redirecting requests for one directory to another.

Note that the Redirect directive preserves path information, which means that if a request is made for
/secure/something.html, then the redirect will be to https://secure.domain.com/secure/something.html.

Be careful where you put this directive. Make sure that you only put it in
the HTTP (non-SSL) virtual host declaration. Putting it in the global section of
the config file may cause looping, as the new URL will
match the Redirect requirement and get redirected
itself.

Finally, note that if you want the entire site to be available only via SSL, you can accomplish this by simply redirecting all URLs, rather than a particular directory:

Redirect / https://secure.domain.com/

Again, be sure to put that inside the non-SSL virtual host declaration.

You will see various solutions proposed for this situation using RedirectMatch or various RewriteRule directives. There are special cases where this is necessary,
but in most cases, the simple solution offered here works just fine.

It it important to understand that this Redirect must
appear only in the non-SSL virtual host, otherwise it will create a condition
where the Redirect will loop. This implies that you do in
fact have the HTTP (non-SSL) site set up as a virtual host. If you do not, you
may need to set it up as one in order to make this recipe successful.

This is, of course, an oversimplified example and is meant only to illustrate
the fact that the Redirect must appear only in the non-SSL
virtualhost to avoid a redirection loop.

The other two solutions are perhaps more straightforward, although they each
have a small additional requirement for use.

The second recipe listed, using SSLRequireSSL, will work
only if you are using Apache 2.0. It is a directive added specifically to
address this need. Placing the SSLRequireSSL directive in a particular <Directory> section will ensure that non-SSL accesses to that directory are not permitted.

The third recipe, using RewriteCond and RewriteRule directives, requires that you have mod_rewrite installed and enabled. Using the RewriteCond directive to check if the client is already using SSL, the RewriteRule is invoked only if they are not; in
which case, the request is redirected to a request for the same content but
using HTTPS instead of HTTP.